Organisations are becoming more complex and are using technology to reach suppliers around the world. With that opportunity comes greater exposure to cyber-attacks that could severely damage their businesses.
Supply chains have always carried risk, but as the digital age extends the reach and number of linked businesses, a single contract or a basic device such as an RFID tag could now be the ‘Trojan horse’ that introduces a cyber-security issue.
“Technology is a critical link between organisations and their suppliers,” says Stan Gallo, Partner, Forensic, KPMG. “That opens channels for malevolent forces to access their business systems, not only directly, but through their suppliers becoming secondary targets.”
If suppliers have poor IT security, there is greater potential for intellectual property, customer information or business strategy to be exposed. Gordon Archibald, Partner, Technology Risk & Assurance, KPMG, warns that as suppliers engage third and fourth parties and share information with them to fulfil contracts, countless people could end up with access to that data.
“Organisations are more dependent than ever on third parties, whether that be a cloud provider, telco provider or application services,” he says. “The old adage that you should keep key assets within the bounds of the business is gone.”
The onus is on organisations to manage the cyber risks in their supply chains, to prevent cyber-attacks, costly fines and major reputational damage.
“As organisations become more interconnected and dependent on each other, it is critical that they understand exactly who is involved in their supply chain process,” Gallo says.
As industries increase their engagement with suppliers – whether manufacturing goods, subscribing to online software or arranging global transportation – all of them are exposed to greater cyber risk.
“Particularly vulnerable are telecommunications companies and online entities with online suppliers, through the mass ratio and exposure to the internet,” Gallo says.
Large health and pharmaceutical organisations are high-value targets, while small health-orientated businesses can be attractive due to their embedded links to hospitals or government agencies, together with a perception of weak security.
Carly Richards, Director, Contract Compliance Advisory, KPMG, says small businesses are particularly vulnerable to ransom attacks.
“Ransom attacks, where malicious parties take an operating system hostage, should be taken seriously by small-to-mid markets,” she says. “Customer data, credit cards, consumer activity and personal details are all hugely marketable. Customers increasingly want to be assured that they can trust you with their details.”
When an organisation is subject to cyber-attack through its supply chain, immense damage can unfold, harming the business, its customers, stakeholders and reputation.
Gallo gives an example of an organisation that faced a security breach via its supplier network that led to significant problems with its operating system.
“Their sales force was connecting to their system via laptops, and hackers were able to ‘bunny hop’ from the laptops into the core server. The hackers were able to initiate data transfers and uploads, and the organisation’s system became infected. This could provide inroads into multiple companies,” he says.
Businesses also face possible fines or disciplinary action for breaches, regardless of whether the breach originates far down their supply chain. Archibald says updates to the Australian Privacy Act show recognition that customer data and personally identifiable information must be protected.
“We’re starting to see more stringent requirements around the Privacy Act and mandatory breach disclosures,” he says.
Despite the obvious threats, Richards says many organisations still lack a cyber-attack prevention plan.
“Most organisations are already being targeted even if they don’t realise it – spam emails, phishing attacks and denial of service are all indicators.”
Archibald adds that delving into the technology aspect of a complex, multi-vendor supply chain can be daunting.
“Organisations are dealing with multiple vendors that have multiple systems that store data in multiple locations. There is a lack of visibility around how that information is protected,” he says.
Regardless of the challenges, a technology risk management strategy must be implemented. Archibald says to begin by identifying risks, alerting directors and boards, and setting a risk appetite.
“Management can’t just delegate this to the IT department anymore,” he says.
The next step, according to Gallo, is to research the suppliers, their reputation and linked organisations.
“Do due diligence to understand who your suppliers are and what dealings they have. Also research their suppliers further down the chain,” he says.
This involves examining their IT security, invoicing, contact methods, system logins and more.
To manage the load, Archibald recommends implementing automated tracking, monitoring and reporting systems.
“The key thing is to get away from humans doing all things manually, to automate as much as possible, and then have human experience embedded in the controls,” he says.
Maurice Pagnozzi, Partner, Contract Compliance Advisory, KPMG, says to write mandatory expectations about security levels and assurance checks into contracts. He says to be clear about “who owns what” information.
“In some situations your supplier will outsource, therefore they are taking on board a lot of your responsibilities. Is there clarity around the Service Level Agreement (SLA) and what your expectations are for the outcomes?” he says.
Gallo adds that there needs to be clear definitions of what every party will do if a technology breach occurs.
“If you are outsourcing your IT environment, and the supplier goes down, or if there is a dispute over contract money, do you still have access to your data? If your supplier is breached, what’s the process around response and resilience? Australia’s mandatory breach reporting legislation is on the cusp of assent and affected businesses will need to comply. Where does the responsibility lie – with the business or the supplier?” he says.
Managing the technology risk in a supply chain may take effort, but it is not without reward, Pagnozzi says.
“You’re not spending time chasing your tail when you should spend it on strategic activities. You’ll deliver a much leaner process with more value and much stronger relationships where your suppliers have frameworks to deliver to their SLAs, and you have transparency of this framework,” he says.
It all comes back to upholding strategy, reputation and sustainability.
“If shareholders and stakeholders are relying on you to deliver profit, you’re going to fail if you’re not managing your supply chain,” Pagnozzi says.
© 2020 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Liability limited by a scheme approved under Professional Standards Legislation.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.